Hashcat is a great, free tool competing head to head Both tools can use distributed networks to speed up with the tools we make. We charge several hundred the attacks, yet Hashcat needs a third-party tool for dollars for what, in the end, can be done with a free that. tool. What are the reasons for our customers to Both are thoroughly optimized to offer the highest choose ElcomSoft products instead of Hashcat, and performance on hundreds of file formats. On paper, is the expense justified? We did our best to compare the two tools have so many similarities they may the two tools to help you make the informed look alike. The usage experience in typical use cases, decision. however, could not be more different. Both Hashcat and Elcomsoft Distributed Password Recovery are tools for breaking passwords. Both tools can perform hardware-accelerated brute- We did our best to compare the two tools to force attacks using conventional video cards, and help you make the informed decision. both tools can do dictionary and smart attacks. SYSTEM REQUIREMENTS

Elcomsoft Distributed Password Recovery Hashcat Elcomsoft Distributed Password Recovery is a Windows only Hashcat is a cross-platform tool supporting all major versions of product. You need Windows 7, 8, 8.1 or Windows 10 to run both the Windows, macOS, and many Linux distributions. However, you’ll server and each of the clients. If you are using distributed attacks, be hard-pressed to find one single platform on which all of the each of the computers comprising the distributed network must Hashcat features work. From time to time, you’ll need Hashcat to run Windows. use several host operating systems to perform its duties. As an In addition to Windows, you need proper drivers. Elcomsoft example, you’ll need a Mac to extract encryption metadata from Distributed Password Recovery is comfortable with officially FileVault disks. released versions of NVIDIA drivers; we’ve seen no nasty surprises In addition to the host OS, you’ll also need the following to utilize with either Studio or Gaming drivers as long as they come with some or all Hashcat features. CUDA. AMD drivers are a bit sketchier, so we have to test major releases for compatibility. If you’re using a different GPU, the • git (optional but recommended) correct OpenCL driver must be installed in order for the hardware • Perl acceleration to work. • Python • C/C++ compiler, correctly configured and equipped with the required libraries. Some hash extraction utilities are available exclusively in source code with no precompiled binaries. HARDWARE ACCELERATION

Both tools advertise hardware acceleration to speed up brute-force attacks. The devil is in the detail.

Elcomsoft Distributed Password Recovery Hashcat Elcomsoft Distributed Password Recovery offers GPU acceleration Hashcat is decidedly GPU only. The tool requires an AMD or NVIDIA on NVIDIA video cards, while some formats can utilize AMD video card to work, and you’ll need a compatible version of the hardware. Our tool can also utilize OpenCL, the open standard graphic driver. Where Hashcat requires the use of the OpenCL for parallel programming of heterogeneous systems. Thanks runtime to interface with compatible CPUs (which we struggled to to OpenCL support, Distributed Password Recovery can utilize enable), Distributed Password Recovery addresses the CPU cores the GPU units found in many Intel processors, which can deliver directly, utilizes the native CUDA for interfacing with NVIDIA boards, several times the typical performance of CPU cores. Should GPU and uses OpenCL for everything else. acceleration be unavailable on a given system or for a given format, the tool transparently falls back to CPU-only implementation.

SUPPORTED FORMATS

Even the best password recovery tool is worth nothing if it does not • PGP secret key rings (.SKR) • macOS keychain password (GPU support that one encrypted data format you urgently need to break. (passphrase recovery) (GPU accelerated) On paper, Hashcat supports a larger number of formats compared accelerated) • BlackBerry backups (.IPD, .BBB) • PGP disks with conventional (password recovery) (GPU to our tool. While both Hashcat and Elcomsoft Distributed Password encryption (.PGD) (password accelerated) Recovery advertise hundreds of supported formats and generally recovery) (GPU accelerated) • FileMaker tick all the basics, our tool covers a few things that Hashcat does not. • PGP self-decrypting archives (.EXE) • Apple Disk Image (.DMG) passwords These include: (password recovery) • DashLane password manager • PGP whole disk encryption (password • Tally ERP 9 Vault passwords • Office 97/2003 (key search) • Hangul/Hancom Office (HanWord, HanCell) recovery) (GPU accelerated) • PDF with 40 bit encryption (key search) • PGP ZIP archives (.PGP) (password • Intuit Quicken • Apple iWork (Pages, Numbers, Keynote) recovery) SETTING UP AND INITIAL CONFIGURATION

Elcomsoft Distributed Password Recovery Hashcat The greater differences are experienced when setting up and Hashcat offers a typical Linux experience even if you are using it in configuring the tools for the first time. When installed on a single Windows. All goes well if you already have the compatible GPU with computer, Elcomsoft Distributed Password Recovery is essentially compatible drivers. Should something go wrong, and you may need a plug-and-play endeavor: you download the installation file, to spend extra time troubleshooting. This, for example, is what we’ve double-click to install, then launch the product from the Windows seen when trying to benchmark Hashcat on an Intel CPU in a Windows Start menu. That’s pretty much it; the tool automatically launches VM: the required components (the client, server, and interactive management console) and detects the available acceleration resources. By the time you see the main window, the tool is ready to run your first attack.

Apparently, an OpenCL runtime is required to run attacks on Intel CPUs. Obtaining OpenCL runtime for Intel Core was borderline amazing. The runtime is only available to developers with Intel To sum it up, you need a supported developer accounts. Registering the account and waiting for its OpenCL device to use Hashcat. NVIDIA approval took a day; however, we were still unable to run Hashcat on that computer even with the OpenCL runtime installed. boards are supported; you’ll need some To its credit, Hashcat would run normally in Windows once we luck for AMD or Intel. If you use Ubuntu, installed a compatible NVIDIA board. We could also launch Hashcat in you’ll require an NVIDIA board. Elcomsoft Linux using the same video card. This time the quest was less puzzling; Distributed Password Recovery, on the all that we needed to do was using the particular version of Ubuntu, carefully uninstalling the pre-installed NVIDIA drivers (a wrong move other hand, just… works. bricks the system), adding the recommended drivers repository and installing the recommended driver from that repository. Piece of cake if you use NVIDIA. We failed the quest when we tried using an AMD card though. WORKFLOW: LAUNCHING THE ATTACK

We have already noted that Hashcat is a command-line tool, while Elcomsoft Distributed Password Recovery is based on the GUI. You’d naturally expect some differences in the workflow, but there’s more to that than meets the eye. The two tools are very different from the get-go.

Hashcat Hashcat only attacks hashes; hence the name. You cannot just you name the files with hash data properly, you may get lost in point Hashcat to a ZIP file or a Word document. Instead, you must which hash belongs to which file. first run a separate third-party script to extract the hash from There is a positive side to hash-only recovery. You can keep the the file you’re about to attack. These scripts are not delivered original files and their hashes on different computers or even in with Hashcat, so you’ll have to look for them and obtain them different networks. You can extract hashes in one lab and run separately. As an example, when attacking a Microsoft Office the attack in another, or even send the hashes to a specialized document, you must first process the original document with password recovery service without the risk of leaking any personal office2hashcat.py. or confidential information. As you can see, the script is a Python script, which means you’ll have to install Python with a number of modules. On some systems, the pip module installer is not always installed with Python, so you’ll have to obtain and install that (note that the Elcomsoft Distributed Password Recovery workflow is different for the different host operating systems). Once you install Python, run the script and extract the hash, you’ll What about Elcomsoft Distributed Password Recovery? When receive the hash string, e.g. originally released, we aimed for simplicity, allowing to simply open a file to launch the attack, end of story. Distributed office$*2010*100000*128*16*a1688e8975694550a7a61b5 Password Recovery is smart enough to analyze the file’s content, While “office$*2010” suggests that the hash belongs to a document automatically detecting the correct file format even if the file was saved in a certain Microsoft Office format, Hashcat won’t take it renamed or has no extension. for granted. When running the attack, you’ll have to additionally Since May 2020, we are optionally offering tighter control over specify the “-m 9500” parameter in the command line, which personal information with attacks on encryption metadata. If you identifies the hash as an Office 2010 file. Why “9500”? Because prefer, you can use the straightforward classic workflow, but you are RTFM. no longer limited to that. You can also run the included Elcomsoft Dealing exclusively with hashes has its pros and contras. The Hash Extractor tool to extract encryption metadata (a.k.a. hashes) obvious drawback is the added complexity. If you have more than from certain file formats such as password manager databases a single document (or maybe several thousand files in various or the various office documents. For encrypted disks, you’d use formats), setting up the attack can take considerable time. Unless Elcomsoft Forensic Disk Decryptor instead, which is also included. DISTRIBUTED COMPUTING

Just as the name suggests, Elcomsoft Distributed Password Recovery is designed to work on distributed networks from the get-go. Hashcat supports hashtopolis (previously known as hashtopussy), which is a separate project that works as a wrapper to enable distributed computing.

Hashcat Enabling distributed computing with Hashcat requires installing a computer that runs agents, and you have to make sure there are no server module. The server is designed as a cross-platform module, unresolved issues with the drivers, OpenCL runtimes etc. yet the documentation is completely Linux-centric. In order to To sum it up, Hashcat can work in distributed networks, but rolling out install the server module, you will have to ensure that all of the the system is a pain. We found it’s easier to write our own tool instead. following components are installed and configured: • MySQL • Apache • PHP • Perl • Python Elcomsoft Distributed Password Recovery Elcomsoft Distributed Password Recovery installs the server After installing these packages (either individually or as the lamp- automatically. No configuration is required, but you can do some server package), you can install hashtopolis. You must have a fine-tuning. Agents can be manually installed or deployed silently clear understanding of Linux administration to install and run over the network through the Windows domain. Once installed, hashtopolis. The server can be controlled via the Web interface. the agents are immediately ready to work with zero configuration You will also need an agent installed on each computer that will required. become parts of the distributed network. The agent is a ZIP file that contains an app written in Python. The distribution kit is assembled dynamically for each agent; the server’s IP address will be hard coded. Just as the name suggests, In order to run each agent, you’ll need the Python environment. As a Elcomsoft Distributed Password Recovery result, agents are running in the user space. If you were using Windows is designed to work on distributed (which is already unlikely at this point), you’ll have a problem if you want agents running as system services (i.e. without an authenticated networks from the get-go. user session). Needless to say, you must also install Hashcat on each CLOUD COMPUTING

Elcomsoft Distributed Password Recovery Hashcat Elcomsoft Distributed Password Recovery supports two major Cloud computing in Hashcat is available through a separate, cloud providers offering Windows virtual machines: Amazon and third-party wrapper called hashtopolis. If you managed to set Microsoft Azure. We supply a ready-made, prepackaged image that up and configure hashtopolis on a local computer, you can can be deployed into Amazon cloud in several clicks. The agent probably do it in the cloud as well. There are no tools to simplify running in the newly created instance is automatically provided cloud deployment, so depending on your skills and experience with the server’s IP address. configuring Hashcat to work with cloud instances may take longer Installing EDPR agents into Microsoft Azure is also automated. The than you had originally expected. supplied script will automatically install the latest version of the agent to any number of existing (grouped) instances. The only input required is your Microsoft Azure authentication credentials (the login and password). The installation process is completely transparent.

Depending on your skills and experience configuring Hashcat to work with cloud instances may take longer than you had originally expected. THE ATTACKS

When recovering a tough password, almost everything depends on the quality of the wordlist and the type and configuration of the attack. Let us see how the two tools compare.

Elcomsoft Distributed Password Recovery Hashcat

Brute force and mask attacks Brute force and mask attacks

Plain brute force attacks almost never succeed on anything but the In Hashcat and hashtopolis, you specify the attack through the simplest passwords, yet they still might be effective against shorter command line or list the attacks in a text file. In Hashcat, brute passwords and uncomplicated protection. force attacks are a subset of the mask attack. As an example, if you Elcomsoft Distributed Password Recovery supports a similar want to try all passwords that consist of small Latin letters and are concept, but allows specifying the minimum and maximum 1 to 5 characters long, you can specify the following attack: password length as well as the character set either globally (for the ?l whole password) or in groups or characters, allowing to quickly ?l?l build an attack that takes into consideration the human factor. ?l?l?l ?l?l?l?l Brute-force and masks attacks are configured in the GUI. ?l?l?l?l?l If you are using hashtopolis, you’ll need to enter these five strings Dictionary attack into the corresponding text field.

Elcomsoft Distributed Password Recovery provides automatic dictionary distribution to all connected agents including those Dictionary attack working in the virtual instances. Dictionary attacks support a large number of pre-defined mutations, allowing to try the most The two tools implement dictionary attacks differently. Hashcat common combinations of dictionary words such as Password, accepts the dictionary as a wordlist, trying each entry the way it is password1, Pa$$w0rd, password1965 and a lot more. We stored in the dictionary. There are no pre-defined mutations and recommend our users trying a small dictionary with certain no ability to add a mask when running a dictionary attack (these mutations first, as this often finds frequently used passwords. are parts of the rule-based attack). No automatic distribution of the We also include the dictionary of the top 10,000 most popular dictionary file is available if you are running hashtopolis; agents will passwords from several major leaks, which may help breaking up only use the dictionaries that are already installed. to 30% of cases in English-speaking countries. This is a simple combination of two dictionary words from two dictionaries (same or different files). Both Hashcat and Combinator attack Elcomsoft Distributed Password Recovery support this attack.

Hybrid attack Rule-based attack

While both tools support hybrid attacks, the term is used in What Elcomsoft Distributed Password Recovery calls a “hybrid different meanings. attack” is classified as a “rule-based attack” in Hashcat. Hashcat-style hybrid attacks combine one dictionary word (from Otherwise, the implementations are very similar; we would even call a single dictionary) with one mask. This would be considered a them identical, as booth tools are following the same syntax as John particular case of a mask attack in Elcomsoft Distributed Password The Ripper, the tool that originated this attack. Recovery. In our tool, one can use multiple dictionaries, where any part of the mask can be a dictionary word. We believe that our solution has an edge over Hashcat here.

Booth tools support a wide range of attacks. Dare we say, setting up attacks in Elcomsoft Distributed Password Recovery is Attacks: conclusion simpler and more straightforward compared to Hashcat. Everything is configured from the graphical user interface. A live preview of sample passwords is displayed for every mask or mutation enabled. To its credit, Hashcat has the ability to run a set of several consecutive attacks, a feature that Elcomsoft Distributed Password Recovery lacks. One can, however, create multiple individual attacks on the password, and run them in the regular job queue. BENCHMARKS

If you read to this point, you must be interested which tool is faster. While Password Recovery offers a (very) slight edge over Hashcat thanks to the we could make and post numerous benchmarks, the truth is that both tools additional utilization of available CPU cores (Hashcat, as you remember, are highly optimized, and both can exploit the available hardware resources is GPU-only). Whichever tool you choose, you’ll be happy with its raw to the maximum. Trying over a hundred formats, we’ve seen performance performance – or, at least, it doesn’t get much better if you jump ship. fluctuations of around 10 per cent. For many formats, Elcomsoft Distributed

THE COSTS

If you are an open-source fan, you’re going to like this chapter; less so of you are a (paid) customer.

Elcomsoft Distributed Password Recovery Hashcat Elcomsoft Distributed Password Recovery is as much plug-and-play Hashcat is free. Hashcat, hashtopolis, most hash extraction as a forensic grade distributed computing tool can be. Installing the scripts and the host OS (Linux) are absolutely free to use, tool on a single computer is no different from installing any other modify, recompile, or make a custom version just for you, on one Windows program, while deploying agents to network computers condition: you do it yourself or you pay someone to do it for you. is similar to deploying any other package in your Windows domain. Using Hashcat requires skills and experience. Setting up Hashcat Prepackaged agents make cloud instances straightforward to on a single computer requires deeper skills, more experience set up and to use. The attacks are as fast or slightly faster than and quite some time. Preparing the tool to run on a distributed Hashcat, while being significantly easier to set up. network requires skills and experience in Linux administration, a That level of user-friendliness and simplicity comes at a cost. We lot of time and a bit of trial and error. Writing attack scripts takes charge $599 for a license covering the parallel use of 5 agents. If you time, and even adding an agent to hashtopolis when you expand are expanding into the cloud, you will notice the differences in cost your distributed network takes time. It takes time processing between Linux and Windows-powered VMs. disk images of encrypted disk, and it takes time to obtain hash extraction scripts for the occasional new file format. The cost of hardware should be the same for both products. The more and the faster video cards you install, the faster the attacks. TECHNICAL SUPPORT

Elcomsoft Distributed Password Recovery Hashcat Elcomsoft Distributed Password Recovery is supported by us via If you have a problem, Hashcat has a wide community of users and an the standard ticket system. We stand behind our product, quickly active forum where you can search for or post questions about issues. resolving the issues once they are reported. What you may not like is the answers. While we had no problem finding the answers to our issues (e.g. attacking a large ZIP archive), finding that what you want is simply not an option can be a little… discouraging.

THE EXTRA FEATURES

There are a few features that can greatly improve usability of Elcomsoft Distributed Password Recovery over Hashcat.

Password cache Running as a service If we find a password to one job, we add that password into a custom Elcomsoft Distributed Password Recovery agents do not require dictionary. Once the next job is started, we’ll try passwords from that an authenticated user session to work. Agents can run as a system dictionary first. This helps save time if the same password is reused service, starting along with the system. across multiple files or data formats. Hashcat can do the same in Linux. However, the Windows version requires an authenticated session to run hashtopolis Python scripts. Distributed updates When you update Elcomsoft Distributed Password Recovery, all Non-ASCII characters and Unicode support components of the distributed network are updated automatically Hashcat supports non-ASCII and Unicode characters, but adding including all connected agents. those to the attack requires a concise effort. If you want to add certain Hashtopolis makes updates a journey. While Hashcat and hashtopolis non-ASCII characters, you’ll have to use the --hex-charset option and can be updated automatically, updating the agents requires an effort. add the extra characters as HEX codes. If you want to use a dictionary You’ll have to manually stop each agent, obtain the updated version with non-ASCII words, you’ll have to do the same. from the server, and manually install it on each computer. Elcomsoft Distributed Password Recovery is Unicode throughout. CASE STUDY 1: BREAKING AN OFFICE 97/2003 DOCUMENT CASE STUDY 2: BREAKING ZIP PASSWORD

So you have successfully installed Hashcat, git and Python. Assuming that the The second case study deals with a ZIP archive protected with AES-256 Python installer had the required modules, you’re good to go and ready to encryption. launch an attack. In the first case study, we’ll try to break a document in the Office 97/2003 Hashcat format (the “.doc” extension; the file might have been saved in “Compatibility Hashcat requires the use of a third-party tool to extract hashes from the mode” by a newer version of Microsoft Office). The file is protected with a 40- target. This time around, you’ll need zip2john, which is a part of the John the bit RC4 key. Ripper package. When attacking ZIP encryption, a single small hash file is not enough. The Hashcat last step of the attack calculates hash sum of the entire encrypted file. The After processing the document with office2hashcat.py, we’ve got the hash. resulting hash file extracted with zip2john is about 2MB. However, we could Hashcat started the attack on the password; considering the (high) speed of not make Hashcat to open the file. The tool had crashed with the following the attack, we estimated the attack to complete in about 1 to 1.5 years. error: Counted lines in c:\hashcat-6.1.1\z2.hash... Oversized line detected! Truncated Elcomsoft Distributed Password Recovery 402236 bytes Elcomsoft Distributed Password Recovery correctly recognized the file format We tried finding a solution (here and here), but the only kind of solution we and offered an option to brute-force the 40-bit encryption keys. The estimated found was this: recovery time was 48 hours using a CPU alone. Note that the same document can be recovered in a matter of minutes if you use the Thunder Tables attack in hashcat supports a data length of about 8 KB (compressed of course) for -m Advanced Office Password Breaker. 13600 = Winzip Unfortunately, for -m 13600 you need the whole data_buf (encrypted and compressed data) to verify if the password is correct. (github) We’ve been unable to launch the attack on the ZIP file with Hashcat. Elcomsoft Distributed Password Recovery Elcomsoft Distributed Password Recovery was able to open that ZIP archive and run the attack in a matter of seconds. CASE STUDY 3: BREAKING VERACRYPT

In the third case study, we’ll try breaking the password to a VeraCrypt The same procedure should also work for VeraCrypt volumes (but you container. need to adapt the hash mode to -m 137XY - see the --help output for all the Hashcat supported hash modes for VeraCrypt and the correct values for X and Y). Additional troubles arise when you try to extract hashes from VeraCrypt On paper, Hashcat had been offering support for VeraCrypt containers long volumes stored inside a forensic disk image. If this is the case, you may have before we did it in Elcomsoft Distributed Password Recovery, so we expect a to mount the disk image, calculate the address of the last sector of the first well-ironed solution. We didn’t have much trouble running the attack on the track on the disk, then extract the required binary data. We understand the hash file extracted from the VeraCrypt container. In this regard, Hashcat is a theory but decided to skip this exercise due to lack of motivation. fast and mature solution for breaking encrypted containers. What we did have a problem with was producing the required hash file to launch the attack. Elcomsoft Distributed Password Recovery If you are attacking an encrypted container (the file), all you need are the first 512 It is exactly this kind of exercise we wanted to skip when developing bytes of the file. In the case of full-disk encryption, you will also need to extract Elcomsoft Distributed Password Recovery. In order to extract encryption the 512 bytes; however, the extraction process is somewhat more complicated. metadata from one or several encrypted disks, you will need to open the The Hashcat Wiki has the following explanation: physical device or forensic disk image in the included Elcomsoft Forensic Disk 1. for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Decryptor (or boot the computer with Elcomsoft System Recovery). Simply Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 ticking the required disk(s) in the GUI will do the trick. bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets. Explanation for this is that the volume header (which stores the hash info) is located at the last sector of the first track of the system drive. Since a track is usually 63 sectors long (1 sector is 512 bytes), the volume header is at sector 63 - 1 (62). 2. if TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes. dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_ hidden.tc bs=1 skip=65536 count=512 3. in all other cases (files, non-booting partitions) you need the first 512 Bytes of the file or partition. As we already said in the beginning, Hashcat is a great tool and a strong competitor. Many of the differences are in the areas of usability and things actually working, let alone working out of the box. Where Elcomsoft Distributed Password Recovery just works the way you expect it to, you may have to spend a bit of time CONCLUSION to make Hashcat work. These bits of time quickly accumulate, turning into multiple man-hours spent on setting up and configuring the distributed network, updating agents, distributing dictionaries across remote agents, finding and using hash extraction tools and overcoming the various obstacles, some of which we have described in this article.

www.elcomsoft.com blog.elcomsoft.com [email protected]